This article was last updated as of Apr-10-18 at 12:46PM.
What’s the vulnerability?
Spectre and Meltdown represent a class of vulnerabilities affecting modern computer processors utilizing Intel’s CPU architecture. The vulnerabilities affect the majority of modern microprocessors, and allow an attacker with the ability to execute code on an affected system to read arbitrary memory locations belonging to other running applications. Such data may include passwords, private keys, message contents, and more.
What can our customers do?
Shared SaaS: The VMware AirWatch SaaS Service team continues to give high priority to the issues identified by CVE-2017-5753, CVE-2017-5715 (Spectre), and CVE-2017-5754 (Meltdown). We have made significant progress applying the Hypervisor-Specific Mitigations as well as the Operating System-Specific Mitigations. In addition, Hypervisor-Assisted Guest Mitigations were recently made available for the platform, and testing has begun to ensure stability and performance.
Dedicated SaaS: In the event VMware AirWatch must perform maintenance that will affect our service availability to our SaaS dedicated customer environments, AirWatch will work with you to determine suitable scheduling of these activities.
On-Premises: On-Premises environments managed by customers should be remediated in accordance with the guidance document provided by your operating system vendor(s). VMware AirWatch is in the process of evaluating our shipped products to determine whether patching is necessary. At this time, VMware AirWatch has not identified any AirWatch products requiring software patches.
Mobile Applications: VMware AirWatch is aware of reports that these vulnerabilities have been shown to affect common browser frameworks such as Chromium and WebKit. VMware AirWatch mobile applications such as VMware Browser do not ship copies of these libraries, but instead rely on the versions of these libraries provided by the underlying operating system (e.g., Android and iOS). Therefore, VMware AirWatch mobile applications take advantage of the mitigations already shipped by OEM vendors. At this time, VMware AirWatch has not identified any necessary application changes or mitigations beyond those provided by the OEM vendor. Customers should continue to monitor vendors for updates to device platforms and libraries.
Make sure to subscribe to this knowledge base article for the latest information as it becomes available. In addition, sign up for the VMware Security Announcements mailing list to receive new and updated VMware Security Advisories relating to VMware products.
- FAQ: CVE-2017-5753, CVE-2017-5715 (Spectre), and CVE-2017-5754 (Meltdown)
- VMware Security & Compliance Blog
- VMSA-2018-0002: VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution
- VMSA-2018-0003: vRealize Operations for Horizon, vRealize Operations for Published Applications, Workstation, Horizon View Client and Tools updates resolve multiple security vulnerabilities
- VMware Virtual Appliances and CVE-2017-5753, CVE-2017-5715 (Spectre), CVE-2017-5754 (Meltdown) (52264)
Support Contact Information
The VMware Workspace ONE Team